Chef Blogs

FIPS Support Now Generally Available in Chef Client 12.8

Julian Dunn | Posted on | announcements

We recently announced the general availability of Chef Client 12.8 that includes support for running in a FIPS 140-2-compliant mode. FIPS, the Federal Information Processing Standard, is primarily used within the United States Federal Government as a standard for information systems security. This feature helps our government customers, including agencies, contractors and hosting service providers, adopt Chef to become fast, efficient, and innovative software-driven organizations.

How it Works

When FIPS mode is enabled for Chef or Knife, OpenSSL will be configured to run in FIPS mode. This disables cryptography that is explicitly disallowed in FIPS validated software, such as various ciphers and hashing algorithms. Attempting to use disallowed cryptography in FIPS mode will cause Chef Client to throw an exception.

A current exception for Chef is the use of MD5 hashes to uniquely identify files stored on the Chef Server. MD5 is used only to generate unique hash IDs for files, and is not used for any cryptographic purpose. Nevertheless, Chef is investigating the effort required to replace this implementation with a FIPS-compatible algorithm.

Platform Support

At this time, FIPS mode is only supported on Enterprise Linux distributions (e.g. RedHat Enterprise Linux, Oracle Enterprise Linux, CentOS), and Microsoft Windows.

More Information

For more information on how to use Chef Client in a FIPS-140-2 environment, please see the page here: https://docs.chef.io/release/12-8/release_notes.html#fips-mode.